Héctor Sarrión

#19238 of 53,633
13.8 Total CVSS
Vulnerabilities · 2
Medium
2
PT-2025-35543
6.9
2025-09-02
T Innova · Deporsite · CVE-2025-41030
**Name of the Vulnerable Software and Affected Versions**
Deporsite by T-INNOVA (affected versions not specified)

**Description**
The application lacks proper authorization, allowing an unauthenticated attacker to obtain information from other users. This is achieved by sending a GET request to the `/ajax/TInnova v2/Integrantes Recurso v2 1/llamadaAjax/buscarPersona` endpoint, utilizing the `dni` parameter.

**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.

PT-2025-35544
6.9
2025-09-02
T Innova · Deporsite · CVE-2025-41031
**Name of the Vulnerable Software and Affected Versions**
Deporsite by T-INNOVA (affected versions not specified)

**Description**
A lack of authorization exists in Deporsite by T-INNOVA. An unauthenticated attacker can modify other users' profile pictures by sending a POST request to the `/ajax/TInnova c/FotoUsuario/llamadaAjax/uploadImage` API endpoint. The request utilizes the `IdPersona` and `Foto` parameters to perform this action.

**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.